Another xadso problem... please help
Hi,
This is my first message here
I've seen some people complaining about this spyware and now it's my time to complain :P
I think a few things are suspicious, but as I've never done this before, I didn't want to delete the wrong thing and screw it up. What should I do?
Thanks in advance
Logfile of HijackThis v1.98.2
Scan saved at 20:31:58, on 20/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Borland\InterBase\bin\ibguard.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Arquivos de programas\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\ARQUIV~1\Winco\WINCON~1\WINCOGAT.EXE
C:\Arquivos de programas\RealVNC\VNC4\WinVNC4.exe
C:\Arquivos de programas\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Mixer.exe
C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
C:\Documents and Settings\leo\Configurações locais\Temp\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Arquivos de programas\SpywareGuard\sgmain.exe
C:\j2sdk1.4.2_05\bin\java.exe
c:\arquiv~1\popfile\popfileib.exe
C:\Arquivos de programas\SpywareGuard\sgbhp.exe
C:\DOCUME~1\leo\CONFIG~1\Temp\OraInstall2004-10-20_07-42-52PM\jre\bin\javaw.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Download\spyware\HijackThis.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Acrobat Reader 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Arquivos de programas\SpywareGuard\dlprotect.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [Office XP crack (nao remover)] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Office10\zera_oxp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\ARQUIV~1\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Winconnection4] C:\ARQUIV~1\Winco\WINCON~1\vpn_tray.exe
O4 - HKLM\..\Run: [WinConnection] C:\ARQUIV~1\Winco\WINCON~1\wc_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [bhswuygdoedpz] C:\WINDOWS\system32\wqcvla.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\leo\Configurações locais\Temp\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Arquivos de programas\SpywareGuard\sgmain.exe
O4 - Startup: Tomcat.lnk = C:\jakarta-tomcat-5.0.27\bin\startup.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Atualiza MP3.lnk = C:\atualizamp3.bat
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Arquivos de programas\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run POPFile.lnk = C:\Arquivos de programas\POPFile\runpopfile.exe
O4 - Global Startup: Service Manager.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=cc20f929261c5866fc5514e828fcb8fc6999e722299069d26f4c79cac0dae6efc9c7c5ee84ce6231d7680129b5ae66ff2168d1ff8a5308fe92dd50eb54c88162:bd8863bd1d4c50f2f5f6bb2aff93338e
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22483d517b1821934b15/netzip/RdxIE601_br.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B4B81D6-87CB-4E7D-A160-A1CE13D9528D}: NameServer = 200.149.55.142 200.165.132.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{B93BE790-B1E0-4657-B52B-7849BFF722A1}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B4B81D6-87CB-4E7D-A160-A1CE13D9528D}: NameServer = 200.149.55.142 200.165.132.154
Comments
O4 - HKLM\..\Run: [Office XP crack (nao remover)] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Office10\zera_oxp.exe
That is very likely a problem.
A crack would not be running from the startup registry keys. It would run once, do whatever it needed to do to crack the software (modify a registry value, change a data file, or modify the exe), and then it would never have to run again.
This item indicates that you are trying to crack licensed software, and it is very likely the cause of your problems. Very often, cracks and "warez" found on websites or in peer-to-peer nets are bogus. Very often, they contain viruses, trojans, hijacks, spyware, adware, etc. They disguise themselves as cracks for desirable software like games or Office applications in order to attract gullible users... and I am sorry to say, but you fell for it.
So, you need to stop looking for freebies wherever you found this one.
Let's go ahead and fix your problem. If you are not sure how to do some of the things I tell you, check the links I provide for instructions. You may want to print these instructions out for easy reference.
Set your system to Show Hidden Files and folders.
For Windows XP or ME, Disable System Restore.
Reboot into Safe Mode.
Run HijackThis. FIX THE FOLLOWING:
**************
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [Office XP crack (nao remover)] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Office10\zera_oxp.exe
O4 - HKLM\..\Run: [bhswuygdoedpz] C:\WINDOWS\system32\wqcvla.exe
**************
Stay in Safe mode, manually locate the exe and dll files in the entries above, and quarantine them.
Reboot normally, check things out, and come back to let us know how it turned out. Post a fresh HJT log for review. If things look clean, re-enable your System Restore and set a new restore point.
Dexter...
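An added example, not part of the original thread: a small parser for the O2 (BHO) and O4 (Run key) lines of a HijackThis log that applies the triage reasoning in the reply above (a BHO whose DLL is gone, a "crack" that persists in a Run key, a random-looking Run value name). The sample lines are copied from the posted log; the vowel-ratio test for random names is an assumed heuristic, not anything HijackThis itself does.

```python
import re
# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Acrobat Reader 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O4 - HKLM\..\Run: [Office XP crack (nao remover)] C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Office10\zera_oxp.exe
O4 - HKLM\..\Run: [bhswuygdoedpz] C:\WINDOWS\system32\wqcvla.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
}

def parse_line(line):
    """Return a dict for an O2 or O4 entry, or None for any other section."""
    for section, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            return {"section": section, **m.groupdict()}
    return None

def looks_random(name):
    """Assumed heuristic: 10+ lowercase letters with few vowels, like 'bhswuygdoedpz'."""
    if not re.fullmatch(r"[a-z]{10,}", name):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.35

def triage(entry):
    """Apply the reply's reasoning; return the reasons this entry should be fixed."""
    reasons = []
    if entry["section"] == "O2" and entry["path"] == "(no file)":
        reasons.append("BHO is registered but its DLL is missing")
    if entry["section"] == "O4":
        if "crack" in entry["name"].lower():
            reasons.append("a crack runs once; it has no reason to persist in a Run key")
        if looks_random(entry["name"]):
            reasons.append("Run value name looks randomly generated")
    return reasons

def flagged_entries(log_text):
    """Map each flagged log line to the reasons triage gave for it."""
    entries = ((ln, parse_line(ln)) for ln in log_text.strip().splitlines())
    flagged = {ln: triage(e) for ln, e in entries if e}
    return {ln: r for ln, r in flagged.items() if r}

if __name__ == "__main__":
    for ln, reasons in flagged_entries(SAMPLE_LOG).items():
        print("FIX:", ln, "->", "; ".join(reasons))
```

Only three of the five sample lines come back flagged, matching the entries the reply puts in its fix list; the Acrobat BHO and NeroCheck pass through untouched.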